Key developments
GitHub confirms theft of 3,800 internal repos
GitHub said on May 20 that it contained a compromise of an employee device involving a poisoned VS Code extension and that the activity appears limited to GitHub-internal repositories. VentureBeat reported the attackers exfiltrated roughly 3,800 internal repos, while GitHub said the claim was "directionally consistent" with its investigation and that critical secrets were rotated overnight. The breach is tied in reporting to TeamPCP/UNC6780, a supply-chain actor already linked to multiple Mini Shai-Hulud waves.
Why it matters
A single malicious extension appears to have exposed infrastructure code and secrets inside one of the world's most sensitive developer platforms.
Sources & driving stories
VENTUREBEAT · Louis Columbus
VentureBeat coverage
THE VERGE
The Verge coverage
London police made over 700,000 data requests
The Register reported that London's Metropolitan Police sought access to private communications data from tech companies more than 700,000 times in 2025. Requests involving LycaMobile jumped from 15,702 to 93,527 year over year, and the force also sought data tied to privacy-focused services including Proton and Signal. Proton and Signal disputed parts of the police account, keeping metadata access and lawful request handling in the privacy spotlight.
Why it matters
The figures show how large-scale metadata collection has become in UK policing and how often privacy-protective services are pulled into it.
Sources & driving stories
THE REGISTER
The Register coverage
California Senate advances child performer deletion bill
California's Senate passed SB 1247 on May 20 by a 38-0 vote, moving a new "right to delete" measure to the Assembly. The bill would require content creators who monetize posts featuring minor children to delete or edit that material if the child requests it after turning 18. Supporters framed the measure as a privacy and control right for former child performers in the social-media economy.
Why it matters
If enacted, the bill would give former child creators a direct statutory tool to reclaim control over monetized childhood content.
Sources & driving stories
CALIFORNIA STATE SENATOR STEVE PADILLA
California State Senator Steve Padilla coverage
Worth noting
WORTH NOTING
Texas AG reviews Meta smart glasses
The Texas Attorney General is examining Meta's AI eyewear over camera, audio, and facial-geometry privacy risks, signaling fresh scrutiny of always-on wearable capture.
WORTH NOTING
CCDH flags Meta Medicare scam ads
A new report says Medicare scam ads generated 215 million impressions and disproportionately reached older users, highlighting persistent weaknesses in ad targeting oversight.
WORTH NOTING
California privacy fines keep climbing
Recent enforcement actions against Disney, Ford, and PlayOn reinforce that California regulators are still prioritizing opt-out friction, tracking, and notice failures.
Still unclear
OPEN QUESTION
How far did the GitHub breach spread?
GitHub has not named the poisoned extension or disclosed whether any secrets beyond internal repos were exposed, leaving the real blast radius unclear.
OPEN QUESTION
Will UK oversight constrain metadata requests?
The scale of the Met's communications-data requests raises the question of whether tighter safeguards or transparency requirements will follow.
